Syslog Flow Export
Generate Syslog messages on initial flow-rule
classification and end-of-flow for all flows handled by the ION
device. These Syslog messages are in RFC 5424 format. You may configure
to export flow logs from an ION device to one or more Syslog servers.
The minimum device software version required for flow logging
is Release 5.1.17 or Release 5.2.3.
The
Format
of the flow log and description
of the different fields exported in the flow logs are listed below: Some of the fields are reserved for future use, and therefore,
will not be populated in the flow log.
Field Name | Description |
|---|---|
event time | Time event occurred on the ION device |
src ip | Source IP address |
dst ip | Destination IP address |
dst port | Destination port |
protocol name | Protocol name |
reserved for future use | Field will be always blank in cgxFlowLogV1 |
reserved for future use | Field will be always blank in cgxFlowLogV1 |
pkts sent | Number of packets sent from src ip to dst
ip |
pkts recvd | Number of packets received from dst ip by
src ip |
bytes sent | Total bytes sent from src ip to dst ip |
bytes recvd | Total bytes received from dst ip by src
ip |
src interface | Interface from which traffic originated |
dst interface | Interface from which traffic egressed |
path id | Prisma SD-WAN Path ID of the WAN Path |
app name | Name of Prisma SD-WAN-matched Application |
flow event | Event that triggered flow export:
|
zbfw classification rules | One or more ZBFW classification rules separated
by a semi-colon(;). ZBFW classification rules include: Rule
Name: Source Zone Name: Destination Zone Name: Action: Action Code
Possible
Action Code Values:
|
Sample flow log in RFC 5424 format as shown below:
<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
Code copied to clipboard
Unable to copy due to lack of browser support.
The above Syslog message has a header and a body. The Syslog
message values populated for the header and the body are:
Syslog Message Header | Header Component Sample Values |
|---|---|
Priority | <13> |
Version | 1 |
Syslog export time in UTC | 2020-01-28T23:46:17.000035+00:00 |
Element device name | T1S3_SPOKE1 |
App name to identify flow event logs | cgxFlowLogV1 |
Process id of log generator | 13593 |
Message id (empty) | Message id field is not populated by the
ION device at this time. |
Structured data (empty) | Structured data field is not populated by
the ION device at this time. |
Syslog Message Body | Syslog Message Sample Body |
Flow event log in CSV format | 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New
Flow,Allow-All:allow:1 |
Syslog message body shown above in CSV format can be interpreted
as:
Headers | Sample Values |
|---|---|
Time event happened | 2020-01-28T23:46:17 |
src ip | 10.2.53.102 |
src port | 52520 |
dst ip | 10.2.13.100 |
dst port | 80 |
protocol name | tcp |
pkts sent | 0 |
pkts recvd | 0 |
bytes sent | 0 |
bytes recvd | 0 |
dst interface | LondonPriWI1 |
path id | 15796434157670062 |
app name | enterprise-http |
flow event | New Flow |
zbfw classification rules | Allow-All:self:unknown:allow:1 |
Recommended For You
Recommended Videos
Recommended videos not found.
